<div dir="ltr">Andreas, many thanks for your email.<div><br></div><div>I have now managed to get that working, performing attestation through the ASA using the PT-TLS protocol! </div><div><br></div><div>Does it have to be kicked off using the command line utility pt-tls-client?</div><div><br></div><div>I couldn't find any documentation for the tnc-pdp plugin. Can I use it to setup a gateway, deciding to allow the device onto a network if it passes (like that of your IMA wiki example) with an ipsec.conf file, or is it just geared around receiving the pt-tls-client request and performing the integrity measurement verification? I can see the measurement pass or fail but I'm struggling to see how I can set something up to periodically ask for that measurement and if not successful, not allow the device onto my network.</div><div><br></div><div>Regards,</div><div><br></div><div>Chris</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Nov 16, 2017 at 7:25 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Mario,<br>
<br>
if the Cisco ASA does not tunnel the strongSwan IKE traffic then just<br>
do remote attestation via the PT-TLS protocol. On the client side you<br>
can use the strongSwan pt-tls-client and on the server side add the<br>
tnc-pdp plugin listening on the PT-TLS TCP port 271 to the strongSwan<br>
charon daemon.<br>
<br>
Regards<br>
<br>
Andreas<span class=""><br>
<br>
On 15.11.2017 23:22, Mario Maldonado wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Hi all,<br>
<br>
I wish to use StrongSwan for remote attestation through a Cisco ASA, eg:<br></span>
StrongSwan gateway ====<a href="http://192.168.0.0/24====" rel="noreferrer" target="_blank">192.168.0.0/24====</a> <<a href="http://192.168.0.0/24====" rel="noreferrer" target="_blank">http://192.168.0.0/24====</a>><br>
ASA ====<a href="http://192.168.1.0/24====" rel="noreferrer" target="_blank">192.168.1.0/24====</a> <<a href="http://192.168.1.0/24====" rel="noreferrer" target="_blank">http://192.168.1.0/24====</a>> Device<span class=""><br>
<br>
With no ASA I have successfully configured StrongSwan with remote<br>
attestation using the EAP-TTLS plugin. I have also managed to configure<br>
a StrongSwan connection to the ASA, giving me access to the<br>
</span><a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">http://192.168.0.0/24</a>> subnet. I am then unable to bring<span class=""><br>
up the attestation connection. I was hoping it would setup a tunnel<br>
within the ASA tunnel but from what I understand IKE traffic is exempt<br>
from the negotiated tunnel (preventing nested tunnels) and then blocked<br>
by the ASA.<br>
<br>
Is there a way around this / a nice way of achieving such a connection?<br>
<br>
Can I use StrongSwan for TNC integrity measurement without the tls<br>
tunnel? This way the TPM and IMA measurements can be sent through the<br>
ASA tunnel with no issues. From looking around the docs it looks like<br>
the only way of performing remote attestation is with the EAP-TTLS<br>
plugin? This would also be ideal as the traffic only has to be decrypted<br>
once by the device.<br>
<br>
Many thanks,<br>
<br>
Mario<br>
</span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
-- <br>
==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Networked Solutions<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>INS-HSR]==<br>
<br>
</font></span></blockquote></div><br></div></div>